CVE-2025-9560 identifies a stored cross-site scripting (XSS) vulnerability in the Colibri Page Builder plugin for WordPress, specifically within the colibri_newsletter shortcode. This vulnerability stems from improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not sufficiently sanitized or escaped before being rendered. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. Because the malicious script is stored persistently, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The vulnerability affects all plugin versions up to and including 1.0.334. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes have been published yet, and no known exploits are currently observed in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes to be rendered dynamically.

This vulnerability poses a significant risk to organizations using the Colibri Page Builder plugin on WordPress sites, particularly those that allow contributor-level users to create or edit content. Exploitation can lead to the injection of malicious scripts that execute in the browsers of site visitors, potentially resulting in session hijacking, credential theft, defacement, or unauthorized actions performed with the victim's privileges. The confidentiality and integrity of user data can be compromised, undermining trust and potentially leading to reputational damage. Since the attack requires authenticated access but no user interaction, insider threats or compromised contributor accounts can be leveraged to exploit this vulnerability. The scope change in CVSS indicates that the impact extends beyond the initially compromised component, affecting other users and possibly administrative functions. Although no active exploits are known, the widespread use of WordPress and the popularity of page builder plugins increase the likelihood of future exploitation attempts, especially in high-profile or targeted websites.

Organizations should immediately audit user roles and permissions, restricting contributor-level access to trusted users only. Implement strict content moderation policies to review any user-generated content or shortcode usage. Until an official patch is released by extendthemes, consider disabling or removing the Colibri Page Builder plugin if feasible, or limit its usage to trusted administrators. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode attribute patterns or script injections related to colibri_newsletter. Monitor logs for unusual activity from contributor accounts and conduct regular security scans for injected scripts. Educate content creators about the risks of XSS and enforce secure coding practices if custom shortcodes or extensions are developed. Once a patch becomes available, apply it promptly and verify that input sanitization and output escaping are correctly implemented. Additionally, implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources.